I was poking around my system today and noticed a log that I never knew
existed.

/var/log/pwdfail/*

Much to my surprise, I see all these entries (hundreds) from some 'blankety
blank blank' trying to hack my server!!

daevid pwdfail # cat current
Sep 17 13:00:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:27 [sshd] Failed password for invalid user webmaster from 61.103.229.40 port 49431 ssh2
Sep 17 13:00:29 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:31 [sshd] Failed password for invalid user oracle from 61.103.229.40 port 49556 ssh2
Sep 17 13:00:33 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:35 [sshd] Failed password for mysql from 61.103.229.40 port 49660 ssh2
Sep 17 13:00:37 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root
Sep 17 13:00:39 [sshd] Failed password for root from 61.103.229.40 port 49769 ssh2
Sep 17 13:00:41 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root
Sep 17 13:00:43 [sshd] Failed password for root from 61.103.229.40 port 49879 ssh2

I figure there should be a script someone has written that will parse this
and automatically add these unique IP addresses (sans redundant ones) to my
/etc/shorewall/blacklist

Google for "shorewall pwdfail" doesn't have very many results though, and
the ones there are in German or something.

--
gentoo-user@g.o mailing list
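
The kind of script the post asks for, as an added example that is not part of the original message: it counts failed sshd passwords per source address in the pwdfail format shown above and merges the repeat offenders into blacklist text without duplicates. The function names, the threshold, the allow list and the sample log are assumptions, as is a blacklist layout with one address in the first column of each line.

```python
import ipaddress
import re
from collections import Counter

# Count only "[sshd] Failed password" lines: each attempt also logs a pam_unix line,
# so counting both would double every attempt. The user name is chosen by the remote
# side, so the address is anchored to the end of the line, not the first "from".
FAILED_PW = re.compile(r"\[sshd\] Failed password for .* from (\S+) port \d+ ssh2\s*$")

# Constructed sample in the post's log format (documentation-range addresses).
SAMPLE_LOG = """\
Sep 17 13:00:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Sep 17 13:00:27 [sshd] Failed password for invalid user webmaster from 203.0.113.7 port 49431 ssh2
Sep 17 13:00:31 [sshd] Failed password for invalid user oracle from 203.0.113.7 port 49556 ssh2
Sep 17 13:00:35 [sshd] Failed password for mysql from 203.0.113.7 port 49660 ssh2
Sep 17 13:00:39 [sshd] Failed password for root from 198.51.100.9 port 49769 ssh2
Sep 17 13:00:43 [sshd] Failed password for invalid user a from 192.0.2.1 port 1 ssh2 from 203.0.113.7 port 49879 ssh2
"""


def offenders(log_text, threshold=3, allow=()):
    """Return addresses with >= threshold failed passwords, skipping allow-listed networks."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_PW.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # a hostname or junk must never reach a firewall file
        counts[ip] += 1
    allowed = [ipaddress.ip_network(a) for a in allow]
    return sorted(str(ip) for ip, n in counts.items()
                  if n >= threshold and not any(ip in net for net in allowed))


def merge_blacklist(existing_text, new_ips):
    """Return blacklist text with unseen addresses appended; comments and entries are kept."""
    present = {line.split()[0] for line in existing_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    added = [ip for ip in new_ips if ip not in present]
    if existing_text and not existing_text.endswith("\n"):
        existing_text += "\n"
    return existing_text + "".join(ip + "\n" for ip in added)


if __name__ == "__main__":
    print(merge_blacklist("# constructed blacklist\n", offenders(SAMPLE_LOG)), end="")
```

Put your own management addresses in `allow` before writing the result anywhere, so a mistyped password from your own machine cannot lock you out.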